Alerts
Zero-Day Tracker
Common Name:
ASX Playlist
Date Disclosed:
11/22/2006
Date Patched:
12/12/2006
Vendor:
Microsoft
Application:
Windows Media Player
Description:
The Windows Media Player library WMVCORE.DLL contains a potentially exploitable heap buffer overflow in its handling of "REF HREF" URLs within ASX files. If the URL contains an unrecognized protocol (only "file", "ftp", "http", "https", "mms", "mmst", "mmsu", "rtsp", "rtspt", and "rtspu" appear to be recognized), the function at 7D7A8F27 in WMVCORE.DLL version 9.0.0.3250, and at 086E586E in WMVCORE.DLL version 10.0.0.3802, will create a copy of the string in which the protocol is replaced with "mms". A heap buffer is allocated, the string "mms" is copied into it, and then everything after and including "://" in the "REF HREF" URL is concatenated using wcsncat.
Unfortunately, the heap buffer for the new "mms" URL is allocated to the size of the "REF HREF" URL, and even more unfortunately, the length of the input string being passed to wcsncat is supplied as the character count, effectively causing wcsncat to behave identically to wcscat. As a result, a two- or four-byte heap overflow is possible if the "REF HREF" URL features a protocol shorter than three characters (the length of "mms").
Single-letter protocols (such as "a://") are rejected, but this restriction can be circumvented by encoding the protocol ("%61://"), thereby making a four-byte overflow possible.
Exploitation via corruption of the adjacent heap block's header is assumed likely, but research is ongoing.
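The size arithmetic behind the overflow described above, beside the corrected allocation, as an added illustration in C. This is constructed code modelling the behaviour the advisory describes, not WMVCORE.DLL's own; WIN_WCHAR_BYTES, decoded_scheme_len, overflow_bytes and rewrite_scheme_safe are names introduced here.

```c
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>

/* Constructed model of the scheme rewrite the advisory describes (not
 * WMVCORE.DLL's code): the scheme of a "REF HREF" URL is replaced with
 * "mms" and everything from "://" onward is appended. */

/* wchar_t is UTF-16 on Windows; the host's sizeof(wchar_t) may differ. */
#define WIN_WCHAR_BYTES 2

/* Scheme length in characters after percent-decoding, so "%61" counts
 * as the single character "a". Returns (size_t)-1 if "://" is absent. */
size_t decoded_scheme_len(const wchar_t *url) {
    const wchar_t *sep = wcsstr(url, L"://");
    if (!sep) return (size_t)-1;
    size_t n = 0;
    for (const wchar_t *p = url; p < sep; n++) {
        if (*p == L'%' && p + 2 < sep && iswxdigit(p[1]) && iswxdigit(p[2]))
            p += 3;          /* one encoded character */
        else
            p += 1;
    }
    return n;
}

/* Bytes the vulnerable allocation falls short by. The heap block is
 * sized for the original URL, but the rewritten URL is longer by
 * (3 - scheme length) characters whenever the scheme is shorter than
 * "mms"; wcsncat(dst, src, wcslen(src)) imposes no bound, so those
 * characters land past the end of the block. */
size_t overflow_bytes(const wchar_t *url) {
    size_t n = decoded_scheme_len(url);
    if (n == (size_t)-1 || n >= 3) return 0;
    return (3 - n) * WIN_WCHAR_BYTES;
}

/* Corrected rewrite: size the destination from the output, not the
 * input, and give wcsncat the remaining capacity rather than the
 * source length. Caller frees the result; NULL if "://" is absent. */
wchar_t *rewrite_scheme_safe(const wchar_t *url) {
    const wchar_t *rest = wcsstr(url, L"://");       /* "://host/path" */
    if (!rest) return NULL;
    size_t cap = wcslen(L"mms") + wcslen(rest) + 1;  /* +1 for L'\0' */
    wchar_t *out = malloc(cap * sizeof(wchar_t));
    if (!out) return NULL;
    wcscpy(out, L"mms");
    wcsncat(out, rest, cap - wcslen(out) - 1);       /* bounded by space left */
    return out;
}
```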
Severity:
High
Code Execution:
Likely (research is ongoing)
Impact:
Arbitrary code execution under the context of the logged-in user
.ASX files are opened automatically when viewed within a Web browser, which allows this vulnerability to be exploited across the Internet via malicious web pages or e-mails, executing arbitrary code under the context of the user who opened the .ASX file. The problem is more severe when users are administrators on their local hosts, since the malicious payload would then run with Administrator credentials.
Mitigation:
The simplest mitigation is to prevent Windows Media Player from auto-opening .ASX files. This can be done in two ways:
- Windows Explorer: Tools -> Folder Options -> File Types; set "ASX" to open with something other than Windows Media Player (the default).
- Registry: HKEY_USERS\<ALL_USER_GUIDS>\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\Application=<*NOT_WMP*>.exe. This method lends itself to automation across a larger network.
Protection:
- eEye's Blink® Personal Edition protects from this vulnerability.
- eEye's Blink® Professional Edition protects from this vulnerability.
- eEye's Retina® Network Security Scanner scans devices to detect for this vulnerability.
Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)
Links:
First Public PoC Code Disclosure (Denial of Service)
MSRC Blog - Public Proof of Concept Code for ASX File Format Issue
Status:
11/22/2006: Vulnerability disclosed to BugTraq.
12/7/2006: Microsoft blog post published.
12/12/2006: Microsoft patch released.
